Merge pull request #98 from samwafgo/feat_ssl

feat:add ssl  auto apply

ThirdLicense

@@ -98,3 +98,29 @@ This project includes components from [corazawaf], which is licensed under the A
 
 GeoLite2-Country.mmdb
 This project includes ipv6 data from [maxmind]
+
+
+go-acme/lego
+
+The MIT License (MIT)
+
+Copyright (c) 2017-2024 Ludovic Fernandez
+Copyright (c) 2015-2017 Sebastian Erhart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

api/entrance.go

@@ -29,6 +29,7 @@ type APIGroup struct {
 	WafLoadBalanceApi
 	WafSslConfigApi
 	WafBatchTaskApi
+	WafSslOrderApi
 }
 
 var APIGroupAPP = new(APIGroup)
@@ -66,4 +67,6 @@ var (
 	wafSslConfigService = waf_service.WafSslConfigServiceApp
 
 	wafBatchTaskService = waf_service.WafBatchServiceApp
+
+	wafSslOrderService = waf_service.WafSSLOrderServiceApp
 )

api/waf_host.go

@@ -16,6 +16,7 @@ import (
 	"fmt"
 	"github.com/gin-gonic/gin"
 	"gorm.io/gorm"
+	"strings"
 )
 
 type WafHostAPi struct {
@@ -112,6 +113,43 @@ func (w *WafHostAPi) GetAllListApi(c *gin.Context) {
 	}
 	response.OkWithDetailed(allHostRep, "获取成功", c)
 }
+
+// GetDomainsByHostCodeApi 通过主机code获取所有关联的域名信息
+func (w *WafHostAPi) GetDomainsByHostCodeApi(c *gin.Context) {
+	var req request.WafHostAllDomainsReq
+	err := c.ShouldBind(&req)
+	if err == nil {
+		if req.CODE == "" {
+			response.FailWithMessage("请传入正确的主机信息", c)
+			return
+		}
+		wafHostBean := wafHostService.GetDetailByCodeApi(req.CODE)
+		if wafHostBean.Code == "" {
+			response.FailWithMessage("未找到该主机信息", c)
+			return
+		}
+		allHostRep := make([]response2.AllDomainRep, 0) // 创建数组
+
+		allHostRep = append(allHostRep, response2.AllDomainRep{
+			Host: fmt.Sprintf("%s", wafHostBean.Host),
+			Code: req.CODE,
+		})
+		//如果存在一个主机绑定了多个域名的情况
+		if wafHostBean.BindMoreHost != "" {
+			lines := strings.Split(wafHostBean.BindMoreHost, "\n")
+			for _, line := range lines {
+				allHostRep = append(allHostRep, response2.AllDomainRep{
+					Host: fmt.Sprintf("%s", line),
+					Code: req.CODE,
+				})
+			}
+		}
+		response.OkWithDetailed(allHostRep, "获取成功", c)
+	} else {
+		response.FailWithMessage("解析失败", c)
+	}
+
+}
 func (w *WafHostAPi) DelHostApi(c *gin.Context) {
 	var req request.WafHostDelReq
 	err := c.ShouldBind(&req)

api/waf_sslorder.go

@@ -0,0 +1,138 @@
+package api
+
+import (
+	"SamWaf/enums"
+	"SamWaf/global"
+	"SamWaf/model"
+	"SamWaf/model/common/response"
+	"SamWaf/model/request"
+	"SamWaf/model/spec"
+	"errors"
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+	"strings"
+)
+
+type WafSslOrderApi struct {
+}
+
+func (w *WafSslOrderApi) AddApi(c *gin.Context) {
+	var req request.WafSslorderaddReq
+	err := c.ShouldBindJSON(&req)
+	if err == nil {
+		hostBean := wafHostService.GetDetailByCodeApi(req.HostCode)
+		if hostBean.Id == "" {
+			response.FailWithMessage("查找主机未找到", c)
+			return
+		}
+		//检测是否有80端口
+		if w.check80Port(hostBean) == false {
+			response.FailWithMessage("未在主机上找到80端口配置，请在绑定更多端口里面增加80端口，再进行发起", c)
+			return
+		}
+		addResult, err := wafSslOrderService.AddApi(req)
+		if err == nil {
+			w.NotifyWaf(enums.ChanSslOrderSubmitted, addResult)
+			response.OkWithMessage("添加成功", c)
+		} else {
+			response.FailWithMessage("添加失败", c)
+		}
+		return
+
+	} else {
+		response.FailWithMessage("解析失败", c)
+	}
+}
+func (w *WafSslOrderApi) GetDetailApi(c *gin.Context) {
+	var req request.WafSslorderdetailReq
+	err := c.ShouldBind(&req)
+	if err == nil {
+		bean := wafSslOrderService.GetDetailApi(req)
+		response.OkWithDetailed(bean, "获取成功", c)
+	} else {
+		response.FailWithMessage("解析失败", c)
+	}
+}
+func (w *WafSslOrderApi) GetListApi(c *gin.Context) {
+	var req request.WafSslordersearchReq
+	err := c.ShouldBindJSON(&req)
+	if err == nil {
+		beans, total, _ := wafSslOrderService.GetListApi(req)
+		response.OkWithDetailed(response.PageResult{
+			List:      beans,
+			Total:     total,
+			PageIndex: req.PageIndex,
+			PageSize:  req.PageSize,
+		}, "获取成功", c)
+	} else {
+		response.FailWithMessage("解析失败", c)
+	}
+}
+func (w *WafSslOrderApi) DelApi(c *gin.Context) {
+	var req request.WafSslorderdeleteReq
+	err := c.ShouldBind(&req)
+	if err == nil {
+		err = wafSslOrderService.DelApi(req)
+		if err != nil && errors.Is(err, gorm.ErrRecordNotFound) {
+			response.FailWithMessage("请检测参数", c)
+		} else if err != nil {
+			response.FailWithMessage("发生错误", c)
+		} else {
+			response.OkWithMessage("删除成功", c)
+		}
+
+	} else {
+		response.FailWithMessage("解析失败", c)
+	}
+}
+
+func (w *WafSslOrderApi) ModifyApi(c *gin.Context) {
+	var req request.WafSslordereditReq
+	err := c.ShouldBindJSON(&req)
+	if err == nil {
+		err = wafSslOrderService.ModifyApi(req)
+		if err != nil {
+			response.FailWithMessage("续期发生错误", c)
+		} else {
+			//发起续期
+			renewAdd, err := wafSslOrderService.RenewAdd(req.Id)
+			if err == nil {
+				w.NotifyWaf(enums.ChanSslOrderrenew, renewAdd)
+				response.OkWithMessage("续期成功", c)
+			} else {
+				response.FailWithMessage("续期失败", c)
+			}
+
+		}
+
+	} else {
+		response.FailWithMessage("续期解析失败", c)
+	}
+}
+
+/*
+*
+发送SSL证书订单通知
+*/
+func (w *WafSslOrderApi) NotifyWaf(chanType int, bean model.SslOrder) {
+	var chanInfo = spec.ChanSslOrder{
+		Type:    chanType,
+		Content: bean,
+	}
+	global.GWAF_CHAN_SSLOrder <- chanInfo
+}
+
+// 检测是否有80端口
+func (w *WafSslOrderApi) check80Port(hosts model.Hosts) bool {
+	splitPort := strings.Split(hosts.BindMorePort, ",")
+
+	for _, port := range splitPort {
+		if port == "80" {
+			return true
+		}
+	}
+	if hosts.Port == 80 {
+		return true
+	}
+	return false
+}

docs/compile.md

@@ -87,7 +87,7 @@ docker run --rm -v %cd%:/workspace samwaflocalcompile
 ## 集成的三方库
 前端: 使用TDesign Vue Starter
 后端: gorm,excelize(360EntSecGroup-Skylar),godlp(bytedance),gin,gocron,
-     grule-rule-engine,ip2region,sqlitedriver,viper,libinjection-go,corazawaf
+     grule-rule-engine,ip2region,sqlitedriver,viper,libinjection-go,corazawaf,go-acme/lego
 数据：
 ipv6(GeoLite2-Country.mmdb) by maxmind 
 ## TODO List

enums/sslorder_enum.go

@@ -0,0 +1,6 @@
+package enums
+
+const (
+	ChanSslOrderSubmitted = iota
+	ChanSslOrderrenew
+)

global/config.go

@@ -15,5 +15,7 @@ var (
 	GCONFIG_RECORD_LOGIN_MAX_ERROR_TIME int64 = 3 //登录周期里错误最大次数
 	GCONFIG_RECORD_LOGIN_LIMIT_MINTUTES int64 = 1 //登录错误记录周期 单位分钟最小1
 
-	GCONFIG_RECORD_ENABLE_OWASP int64 = 0 //启动OWASP数据检测
+	GCONFIG_RECORD_ENABLE_OWASP        int64 = 0  //启动OWASP数据检测
+	GCONFIG_RECORD_ENABLE_HTTP_80      int64 = 0  //启动80端口服务（为自动申请证书使用 HTTP文件验证类型，DNS验证不需要）
+	GCONFIG_RECORD_SSLOrder_EXPIRE_DAY int64 = 30 // 提前多少天进行自动申请
 )

global/global.go

@@ -77,6 +77,7 @@ var (
 	GWAF_CHAN_UPDATE    = make(chan int, 10)                 //升级后处理链
 	GWAF_CHAN_SENSITIVE = make(chan int, 10)                 //敏感词处理链
 	GWAF_CHAN_SSL       = make(chan string, 10)              //证书处理链
+	GWAF_CHAN_SSLOrder  = make(chan spec.ChanSslOrder, 10)   //SSL证书申请
 	/*****CACHE相关*********/
 	GCACHE_WAFCACHE      *cache.WafCache      //cache
 	GCACHE_WECHAT_ACCESS string          = "" //微信访问密钥
@@ -101,6 +102,9 @@ var (
 	GNOTIFY_KAKFA_SERVICE           *wafnotify.WafNotifyService                                  //通知服务
 	GNOTIFY_SEND_MAX_LIMIT_MINTUTES                             = time.Duration(5) * time.Minute // 规则相关信息最大发送抑止 默认5分钟
 
+	/*********SSL相关*************/
+	GSSL_HTTP_CHANGLE_PATH string = "/.well-known/acme-challenge/" // http01证书验证路径
+
 	/******数据库处理参数*****/
 	GDATA_BATCH_INSERT       int                 = 1000        //最大批量插入
 	GDATA_SHARE_DB_SIZE      int64               = 100 * 10000 //100w 进行分库 100*10000

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/denisbrodbeck/machineid v1.0.1
 	github.com/dsnet/compress v0.0.1
 	github.com/gin-gonic/gin v1.8.1
+	github.com/go-acme/lego/v4 v4.20.4
 	github.com/go-co-op/gocron v1.17.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/hyperjumptech/grule-rule-engine v1.11.0
@@ -20,15 +21,15 @@ require (
 	github.com/pengge/sqlitedriver v0.0.0-20231127095117-b0f000e40c2c
 	github.com/satori/go.uuid v1.2.0
 	github.com/shirou/gopsutil v3.21.11+incompatible
-	github.com/spf13/viper v1.13.0
+	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.9.0
 	github.com/twmb/franz-go v1.18.0
 	go.uber.org/zap v1.21.0
-	golang.org/x/mod v0.18.0
+	golang.org/x/mod v0.21.0
 	golang.org/x/net v0.31.0
 	golang.org/x/sys v0.27.0
 	golang.org/x/text v0.20.0
-	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
+	golang.org/x/time v0.7.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55
 )
@@ -37,50 +38,54 @@ require (
 	github.com/anknown/darts v0.0.0-20151216065714-83ff685239e6 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220527190237-ee62e23da966 // indirect
 	github.com/bmatcuk/doublestar v1.3.2 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/corazawaf/libinjection-go v0.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-playground/validator/v10 v10.10.0 // indirect
-	github.com/goccy/go-json v0.9.7 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/uuid v1.1.2 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.16.0 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
 	github.com/klauspost/compress v1.17.8 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/magefile/mage v1.15.1-0.20231118170541-2385abb49a1f // indirect
-	github.com/magiconair/properties v1.8.6 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.18 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/oschwald/maxminddb-golang v1.13.0 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sergi/go-diff v1.0.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/spf13/afero v1.8.2 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
-	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
@@ -91,11 +96,13 @@ require (
 	github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect
 	github.com/xanzy/ssh-agent v0.2.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/exp v0.0.0-20240213143201-ec583247a57a // indirect
 	golang.org/x/sync v0.9.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/tools v0.25.0 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1 // indirect